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(54) Method and apfKiratus for data verification 

(57) A token 12 creates utilization history informa- 
tion and sends the information to an information 
processing unit 1 1 and simultaneously creates an verifi- 
cation value and stores the value in a utilization-value 
hokjing unit 21. The information processing unit 11 
records the utilization history information in a history 
hokiing unit 16. On receiving a verification-value output 
request from the information processing unit 11. the 
token 1 2 provides the verification value with a signature 
and outputs the combination of the verification value 
and the signature. The information processing unit 
sends to a recovery unit 13 the verification value with 
the signature as well as the utilization history infonna- 
tion. The recovery unit 13 verifies the signature and also 
the utilization history on the basis of the verification 
value further. 
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Description 



BACKGROUND OF THE INVENTION 
5 1 . Held of the Invention 

The present invention relates to the technology of verifying data and more particularly to data-verifying technology 
fit for use in general information processing units designed to transmit or hold a large continuous number of data 
groups, for example, a utilization history in security 

10 

2. Description of the Related Art 
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With the recent progress of dgital information processing techncrfogy. an idea of information highway and so forth 
the time has come at last in that every sort of Infomiation is digitized, and the cfigital information is distributed and cir- 
culated thrcaigh networks. The distribution and circulation of various kinds of information in the form of images anima- 
tions, voice, programs and the like, to say nothing of character informatioa have already been started via Internet 
telecommunications-personal corrputer or in the form of CD-ROMs. 

However, the digital information in the form of characters, images, animations, voice, programs and the like is of no 
value unless such information is utilized because it is different from physical matter and unsubstantial and easy to copy 
at low cost Despite the features mentioned above, however, restrictions have been imposed on the copying of what is 
owned by someone once because one is to pay therefor at present. In other words, there is suspicion that easiness of 
copying and that easiness of copying at low cost that feature the digital information to the fullest extent are confined by 
arl>itrary rules. ^ 

In order to solved the foregoing problems, there has recently appeared a system of making digital infomiation uti- 
lizable by decrypting the infomnafion. More specifically the digital information as represented by programs is encrypted 
so as to render tiie information freely distributable and when the information is utilized, each user receives a decrypting 
key after paying a price therefor. In view of the fact that information is of no value unless it is utilized moreover there 
has also been proposed a system of charging a payment for the utilization of information such as a software service 
system as disclosed in Japanese Patent Publication No 95302/1994 and an apparatus for measuring the quantity of 
30 utilized information as disclosed in Japanese Patent Laid-Open No. 21276/1995. 

With the aforementioned technologies, users are not asked to buy software when the software as represented by 
programs is utflized over personal conputers and workstations but while they are able to acquire tfie software free of 
charge or at a moderate price, charged with a payment in prcportion to the quantity utilized, for examrie each time the 
software is utilized. 

In order to charge a payment for the utilization of infomiation. tiie charge has to be paid by each of the individual 
users, depending on the frequency of use. In a certain case, the charges collected in a lump have to be distributed to 
infomnation providers in proportfon to the frequency of use. Consequenfly the utilization history in the user environment 
has to be recorded in security and also recovered in safety. 

Nevertheless, though a utilization meter functioning as what records a utilization history has been mentioned m 
Japanese Patent Laid-Open No. 21276/1995. no reference has been made of how to recover the quantity of utilization 
actually recorded therein. 

There has been proposed a method for ttie aforementioned purpose which is not to use a recording device under 
the control of an information processing device, for example, a hard disk with which the user utilizes tiie utilization his- 
tory but to use an independent safety device. According to Japanese Patent Pulrfication No. 95302/1 994 for example 
45 a utilization history is to be written to an IC card. . ^ , 

In a chargeable information ti-ansmitting system according to Japanese Patent Laid-Open Na 25605/1991 and a 
chargeable information collecting system according to Japanese Patent Uid-Open No. 1 80762/1 994 chargeable infor- 
mation is recovered through networks. 

When a history written to a safety device such as an IC card is recovered, there has been proposed a method of 
so using a network or allowing a collector having a proper right to collect the history directiy from such a device 

Under tfie method of collecting the history through the networic. however, no consideration has been given to 
safety; the safety of chargeable information, tiiat is. ttie possibility of falsificaffon of chargeable information on the way 
or otiienwise the possibility of transmission of dshonest ^rgeable information from any one of the users Therefore' 
the problem is tiiat the aforementioned method remains unapplicaWe. in view of safety, to internet open to the general 
55 public, though it ts applicafcrfe to in-house networks tiiat can be relied upon to a certain degree 

In order to safely recover the history in tiie form of an 10 card in the apparatus, it has been the only way that a col- 
lector having a proper right to collect tiie history directiy tiierefrom. 

With the recent devefopment of encrypting technology, however, ttie use of dgital signature technology in particular 
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makes it possible to solved the aforementioned problem. More specifically, a private key peculiar to the safety device is 
enclosed therein and when a user wants to retrieve data from the safety device, the user is always called for p'oviding 
a signature, whereby whether or not the data is right can be confirmed later by verifying the digital signature accompa- 
nying the data. 

5 A technique of using RSA (Rivest-Shamir-Adleman) cryptosystem for digital signatures is widely known. However, 

signatures by means of RSA or any other digital signatures generally need a large cpjantity of calculations artd so do a 
great deal of time per process normally Therefore, a serious prot>lan is posed when a signature has to be provkjed for 
continuous data in great quantities or when a computer with low calculating capability is used for prxx:essing signatures. 
When the IC card is used as a safety device for recorcfing the utilization history, the calcu^ting capability of CPU 

10 mountable in such an IC card is often rather low in general and the pr*lem is that a great deal of time is required when 
the CPU is used to can^y out a large quantity of calculations. If. however an attempt is made to increase the calculating 
capability in order to raise the calculatirtg speed, this arrangement will become extremely costly. 

Thare also exists a problem arising from a recording capacity when total data concerning the utilization history is 
recorded in a small device like the IC card because the data regarding the utilization history is usually of great length. 

15 The security of nrodem encryption technology including the RSA is originally based on the quantity of calculations, 
and the length of the key used for a signature and cryptosystems is arranged so that it is increased as the capablities 
of the conputer increase. Consequently, tfiis problem is not n^ade solvatrfe by only increasing the capabifities of a com- 
puter in future but still remains essentially to await a solution since use can be made of equipment {e.g.. a personal 
token) only capable of employing a computer whose processing perforrr^nce is far low in corrparison with the highest 

20 performance that can be offered by the newest model of computer of the day. 

SUMMARY OF THE INVErsiTION 

An object of ihe present invention made in such circumstances as descn'bed above is to provide a method of mak- 
25 ing possftjle the creation of data verifialile at high speed even by an apparatus having low calculating capability. 

More specifically, the total utilization history is not held in an IC card but only verification values obtainable from the 
utilization history are held in the IC card, and the utilization history proper is held on the part of an information process- 
ing unit (e.g.. a personal computer or the like) to be controlled by a user. 

Referring to the prior art in view of tiie verification values, there is technology employed for data comnnunication, 
30 called DES-MAC. MAC is an atoreviation of Message Authentication Cryptosystem having a predetermined length 
showing tiiat a message is conplete (i.e.. any message that has not been alteral dishonestiy). The cryptosystem is 
used after being attached to an original messaga Since the occurrence of an error during the data communication is 
fatal, an arrangement is made so that a change in data during the data communicatiOT can be detected. 

Further. DES is an abbreviation of Data Encryption Standard, which is a block encryption algorithm (Applied Cryp- 
35 tography pp 265) with 64 bits used for one block. A CBC (Cypher Block Chain) mode (Applied Cryptography pp 193. 
JIS-X5051) is one kind of way of using trfock cryptosystems as represented by DES. that is, a system of not encrypting 
an individual block independently but of exdusively ORing a trfock encrypted immediately before and a Wock to be 
encrypted next so as make the value otrtained a DES input. Even when fc>locks having the same contents under this sys- 
tem are encrypted arxj when the trfock tiiat has been encrypted until then is different, the encrypted result will also 
40 become diflerent 

The DES-MAC (Refer to Applied Cryptography pp 455 for CBC-MAC) is an application of the CBC mode in the 
DES. according to which the trfock obtained last is used for the verification value of the total data stream 

Fig. 21 shows an arrangement of DES-MAC. A stream of data to be transmitted is shown in the upper portion of 
Fig. 21 arKi the data stream is divided into btocks each having 64 bits. IV is an abbreviation of Initial Vector representing 
45 an initial value formed of random numbers. The blocks resulting from the division is passed in a chain through DES 
encryptors as in the DES-CBC mo6e by adding IV to tiie head of the data stream and the block obtained last to the last 
position thereof as the verification value of the data stream for transmission. On the reception side, a verification value 
is obtained by performing the process in reverse order and corrpared with the value received for verification. 

The processing method I3<e this is k>asically interxled for data transmission by means of communication. Since a 
50 sender sets it forth as a premise to hold complete data in a short time with certainty, there will develop a problem if the 
premise is applied to the recovery of a complete history. This is because history data are accumulated over a long 
period of time, during which the data may arbitrarily t^controlled by users or the system may have accidents and thus 
be exposed to danger. 

To begin with, the aforementioned system (DES-MAC) is base on tiie assumptiori that the data blocks are continu- 
55 ously transmitted. In other words, for the transmission of ordinary data, there exists a lower layer (equivalent to a TCP 
layer in TCP/IP: transmission control protocol/lnternet protocol) and the order of data blocks is assured by tiiat layer. 

If. however, the utilization history is put under the control of the user, the order of histories becomes unassured at 
that point of time; that is. the user is allowed to use the IC card by connecting it to a plurality of computers (e.g.. a desk 
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top PC. a lap top PC. etc.) that the user can use. When it is into consideration that the utHizahon history is recorded on 
the computer side, thetitilization history is scattered in the plurality of computers. Consequently, the history thus scat- 
tered in the plurality of conputers is deprived of the order in terms of tima 

In the case of a utilization history, the time order is an extremely important laetdr. In other words, the usage may be 
5 ca culated later from the plurality of continuous histories. For exanple. there are cases; namely, a simple case where 
utiization time is calculated from the difference between utHizalion start time and utilization end time; another case 
where the usage is determined by calculating a difference in data length from data length as an otjject of operation at 
the utilization start time and from data length as an object of operation at the utiBzation end time; and so forth 
The DES-MAC tes furnished no substantial solutions to the foregoing problems. 

10 '^^"f^er problem arising when the utilization history is put under the control of the user is that part of the u^^ 

history may be lost intentionally or by acddenL In the case of DES-MAC. verification will become impossible if part of 
the Utilization histoiy is lost Since the DES-MAC is based on the assunption fliat the sender holds complete data only 
during the communication, carrying out refransmission will settie the case. However, ttie loss of the utilization history 
mearK me s^farrtal loss of data and therefore the restoration of the history becomes iirpossible. The still continuoiK 
ts use of tfie DES-MAC system makes infeasiWe even «ie verification of the remaining data 

w T^®"" charging a payment for the usage, further, it is prerequisite for the user to recover the history left on 
hand. Unless the history is recovered, there will develop a problem of rendering uncalculable the utHization fee charged 
against the user or ottienwise rendering the collected utilization fee undisbibutable to infbnnation providers 

Thus, the utilization history left wHh the user has to be recovered safely and to tills end, it is avoided that tfie utifi- 
20 zabon history is recovered urvJer false recovery instructions. 

An object of ttie present invention is therefore to provide an apparatjs capable of verifying lengthy data quicWy even 
with Its low calculating capability and small storage capadly 

Further, a second object of ttie present invention is to provide a method of making data order restoraWe even in 
such an environment that the order is not preserved. 

Further a tfiird object of ttie present invention is to provide a method of making the remaining data verifiable even 
when part of the data is lost 

Furttier. a fburtii object of the present invention is to provide a method of controlling a data-holding apparahjs safely 
from tfie outside. 

In order to solved the foregoing problems according to the present invention, basically data is not recorded in a pro- 
tective apparatus to reduce ihe quantity of data to be held but output from ttie protective apparatus outside and verifi- 
cation values small in data quantity are held in tfie protective apparatus instead. More specifically, unidirectional 
functions in place of digital signatures are used for verification so ttiat data may be verified quickly When hash functions 
r^esertmg MD5 are realized in software, hash values are said to result in proving ttiat they are higher in speed by 
three digits than ttie encrypting process of RSA. in order to make the order of history data restoraWe. further, restoiable 
infomiation is added to ttie order of history data. More specifically, it has been ananged ttiaf the value provided with a 
signatore of a right person is necessitated witfi respect to tfie verification value held by ttie protective apparatus 
whereby the vesication value in the protective apparatiis is forcibly sent to ttie right person to ensure ttiat ttie verifica- 
tion IS effected. 

A description will subsequently be given of ttie constitution of ttie present invention. In order to accomplish tfie 
ot^ects above according to ttie present invention, a data verifying mefliod comprises the steps of: creating a verification 
value ofa data body inside a protective apparatiis from a verification value of ttie relevant data body out of a plurality of 
date bodies generated in sequence and a verification value of a data body preceding ttie relevant data body, creating a 
verification value witti a signatiire by adding a digital signabire inside ttie protective apparatus to the verification value 
created for ttie last data body out of ttie plurality of data bodies to be verSied at a time, sending tiie verification value 
with the signature outside from ttie protective apparatiis, and verifying ttie plurality of data bodies based on ttie plurality 
of data bodies and the verification value with the signature. 

Witti ttiis arrangement, it is only needed to provide the verification value with ttie digital signature even tfiough ttie 
calculating capabiTity is low Since the verification can be calculated from ttie verification value witti respect to the pre- 
ceding data body and ttie data body ttiis time, ttie processing is perfomiaNe as tong as one data body and one verifi- 
cation value are holdable. which means the storage capacity may be small. 

In ortler to accomplish ttie objects above according to ttie present invention, furttier. an apparatus for creating data 
to be venfied is provided witti: means for generating data bodies in sequence, verification value holding means for hold- 
ing venfication values, verification value creation means ^ creating a new verification value from the verification value 
hew in the venfication value hoUing means and a newly generated data body and updating ttie verification value held 
in tfie venfication value holding means to ttie new verification value, and signature means for attaching a signature to 
the verification value held in ttie verification value holding means at predetermined timing, wherein ttie verification value 
creation means, ttie verification value holding means and ttie signature means are installed in a protective apparatiis 
Even with ttiis arrangement it is only needed to provide tiie verification value witti the digital signatiire even tfiough 
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the calculating capability is low. Since the verification can be calculated from the verification value with respect to the 
preceding data body and the data body this time, the processing is performable as long as one data body and one ver- 
ification value are holdable, which means the storage capacity may be small. 

In order to accomplish the objects atxive according to the present inventon. further, there are provided a plurality 

5 of data tjodies generated in sequence, means.fbr receiving a verification value with a signature reailting from providing 
a signature for the verification value calculated from the plurality of data Ixxli^. signature verifying means for verifying 
the signature on the verification value received, and verifying means for verifying the conrectness erf the plurality of data 
bodies received from the verification value with the signature verified by the signature verifying means. 

With this arrangement the quantity of calculations is r^Jucible since the verification of the signature is effected for 

70 only the verification value with the signature. 

In order to accomplish the objects atx>ve according to the present invention, further, a history holding method is 
used for holcBng in a protective apparatus only a verification value resulting from sequential calculations with reject to 
a group of history data comprising a plurafity of continuous history data, and providing a agnature for only the verifica- 
tion value when the verification value is output from the protective apparatus outside. 

75 With tNs arrangement, not only the quantity of calculaticms but also the storage capacity can be suppressed. 

In order to acconrpfish the objects above according to the present invention, furth^, a history holding aii^ratus is 
provided with: data input means for inputting a plurafrty off continuous data, data processing means for processing the 
data, verification value creation means for creating a verification value with history data relevant to the data processing 
and the verification value held at this point of lime as inputs, verification value holding means for fiotdng the verification 

20 value thus created, and signature means for provicfing a signature for the verificaticvi value, wherdn the verification 
value creation means, the verification value holding means and the signature means are at least installed in a protective 
apparatus. 

With this arrangemerrt, not only the qi^ntity of calculations but also the storage capacity can be suppressed. 
With tfiis arrangement likewise, unidirectional functions may be used for calculations applicable to the verification 

2S value creation means. The history data may be in the form of a combination of the history data body and the verification 
value at the time the history data is processed. Further, counter means for doing counting each time data ^ processed 
may be provided and the history data in the history data group may be in the form of a combination of the value of the 
counter when the data is processed and a history body The verification value with the signature may be output in com- 
pliance with a user's request The history holding means may corrprise a single CPU with software and when the load 

30 of the CPU applied by the data procesang means is low, the sigrrature means may creates and outputs tfie verification 
value with the proper signature. 

With this arrangement further, function stopping means m^ be provided ard used for stewing the function of the 
data processing means at a poirtt of time the verification value is output until a proper instruction is given from the out- 
side. Halt condition holding means niay be provided and used for stopping the function and when the conditions 

35 described in tiie halt condition holding means are met the function halt means may output the verification value with 
the signature written thereto and step its function. Furtiier. proper pufcdic4tey holding means may be used for holding a 
public key of an external right person, and ttie function halt means nray verily tiiat an accepting iretruction is intended 
to restore the function corresportding to the lastiy-output verification value provided with a digital signature made \^ the 
external right person and that by verifying the signature with the public key held by the proper public-key holding means 

40 at the time of receiving the instruction, whether or not the verification value with the signature is equal to the verification 
value held by the verification value holding means. 

In order to accomplish -the objects alxrve according to the present invention, further, a history verifying apparatus 
may be provided with; data input means for inputting a verification value with a signature, the signature b^ng provided 
for the verification value calculated from a plurality of continuous history data in group arxl from the data groups, signa- 

45 ture verifying means for verifying the signature of the verification value thus received with the signature, and verifying 
means for verifying the correctness of tiie data group received from the data group received and the verification value 
whose signature has been verified. 

With this arrangement, the quantity of calculations is reducible since the verification of the signature is effected for 
only the verification value with the signature. 

so With this arrangement, forther. previous verification value storage means may be provided and used for storing the 
verification value received the last time, and the verifying means may employ the previous verification value when mak- 
ing verification. The calculations for use in the verifyijjg means may be based on unidirectional functions. The history 
data may be in the form of a combination of the history data body and tiie verification value at the time the history data 
is processed. The history data in the history data group may be in the form of a cortTbination of tfie value of the counter 

55 when the data is processed and a history body. 

In order to accomplish tiie objects above according to the present invention, further, a history holding apparatus 
may be provided wifli: data storage means for holding data, halt condition holding means for holding predetermined 
conditions at the time the function is stopped, function halt means for stopping the function when the conditions held in 
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the halt condftion hoWing means are met and keeping the functbn stopping until a proper instruction is received from 
the outsde. private-key tolding means for holding a private key. digital signature means for provding a digital signature 
using the pnvate key held in the private-key holding means for the data group held in data holding means, digital signa- 
ture holding means for holding the digital agnature affixed, and proper piijlic-key hokfing means for holding the public 
key of an extemal nght person, wherein the function halt means may verify that an accepting instruction is intended to 
restore the function corresponcfing to the digital signature provided by the external right person for the digital signature 
held in the digital signature holding means and that t>y verifying the signature with the public key held by the proper pub- 
lic-key holding means at the time of ^ecei^flng the instruction, whether or not the value with the signature is equal to the 
value held by the digital signature holding means. 

With this arrangement, the instruction with the signature of the proper person is not sent until the correctness of the 
history is verified, and the halt state of the apparatus is not release not until the correctness of the instruction is verified 
TTierefore. no inconvenience arises from the provision of service while the con-ect history ren^ins unrecovered In other 
words, it is ensured that the correct history is recovered. 

According to the present invention, electronic equipment is provided with: function halt means for stopping at least 
part of the function of an electronic equipment body when predetennined conditions are met. means for oufputting pre- 
determined data outside, means for receiving data with a signature, the data being created by providing the signature 
for the predetermined data, signature verifying means for verifying the signature with respect to the data with the sig- 
nature, and means for releasing the halt state of that part of the functfon when the correctness of the signature of the 
data with the signature is verified by the signature verifying means. 

With this arrangement the use of the electronic equipment is not made to continue until the con-ectness of the data 
is verified, so that correct data is secured. 

Further, the present invention can be in^lemented by appropriating part thereof to a conputer pnDgram product 

The above and other objects and features of the present invention will be more apparent from the follouving descrip- 
tion taken in conjunction with the accompanying drawing. 

BRIEF DESCRIPTION OF THE DRAWIN<^Q 



Rgure 1 is an overall block diagram of Embodiment 1 of the present invention; 

Figure 2 is a block diagram showing the construction of an information proce^ng unit 11 of Rg. 1 ; 
30 Rgure 3 is a block diagram showing the construction of a token 1 2 of Rg. 1 ; 

Rgure 4 is a diagram explanatory of a utifization-value holding unit 21 of Rg. 3; 

Rgure 5 is a block diagram showing the construction of a recovery unit 13 of Rg. 1 ; 

Rgure 6 is a diagram explanatory of information to be decrypted in the token 12; 

Rgiffes 7A and 7B are diagrams explanatory of the construction of a utilization history; 
35 Rgu-e 8 is a flowchart explanatory of processing to be performed in the control unit 14 of the information process- 
ing unit 1 1 when a request for the utilization of information is received from a user; 

Rgure 9 is a flowchart explanatory of processing to be perfomied in the control unit 14 of the information process- 
ing unit 1 1 when an instruction for the recovery of the utiRzation history is receved from a user; 
Rgure 10 is a flowchart explanatory of processing when the decryptor unit 19 of the token I2'receives a request 
40 for decrypting encrypted information from the information processing unit 11; 

Rgure 1 1 is a flowchart explanatory of processing to be performed in ttie utilization-value creating unit 20 of ttie 
token 12 which is called from the decryptor unit 19 of the token 12; 

Rgure 1 2 is a flowchart explanatory of processing when the utilization-value output unit 22 of the token 12 receives 

a verification- value output request from the information processing unit 1 1 ; 
45 Rgure 1 3 is a block diagram showing tiie construction of the token 1 2 in EmlxxJiment 2; 

Rgure 14 is a flowchart explanatory of processing to be perionmed in the token 12 of Rg. 13; 

Rgure 15 is a flowchart explanatory of processing to be performed in the token 12 of Rg. 13; 

Rgure 16 is a flowchart explanatory of processing to be performed in the token 12 of Rg. 13; 

Rgure 17 is a block diagram showing the function block materialized in the information prx)cessing unit 11 in 
50 Embodiment 2; 

Rgure 18 is a block diagram showing tfie construction of ttie recovery unit 13 in Embodiment 2; 

Rgures 19A to 19E are diagrams showing the construction of the utilization history in Embodiment 2; 

Rgure 20 is a diagram explanatory of another construction of ttie utilization history in Embodiment 2- and 

Rgure 21 is a diagram explanatory of relevant technotogy. 

55 

DETAILED D ESCRIPTION OF THE PREFERRED EMBODIMEMT?; 

Now. a description will be given in more detail of preferred embodiments of the invention witti reference to the 
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accompanying drawings. 
(Embodiment 1) 

5 Embodiments of the present invention will subsequently be described. Rrst, Embodiment 1 of the present invention 

will be described. In a system to be descril>ed in Embodiment 1 of the present invention like any other systems accord- 
ing to the present invention as those which will be described later, general digital information such as programs and 
image information that are encrypted and distrtouted is utilized in an information processing unit like a personal compu- 
ter or a workstation by means of an IC card (herdnafter called the TokenT connected to the inftsrmation processing unit 

10 in order to record the utilization history then by seizing timing at which the information is decrypted, wherry to make 
the center recover the utilization history. Needless to say, the present invention is applicable to any task other than 
securing history data. 

Rg. 1 shows an overall system configuration according to this embodiment of the inventfon. In Rg. 1 , tiiere is shown 
an information processing unit 1 1 like a personal computer or a workstation for use in utilizing digital inforrration in the 
15 user environment and in order to decrypt encrypted information (or to decrypt a key for decrypting, a token 12 for 
recording the utifization history by seizing the timing is connected to the information processing unit. The token 12 and 
the infomr^tion processing unit 1 1 may be connected via any means capable of transmitting information such as a PC 
card (PCMCIA: Personal Computer Memory Card Interface Association) interface. serial/^>araliel. an infrared ray and 
the like. The token 1 2 may be pad^ged in the information processing unit 11 . 
20 The user's information processing unit 1 1 is connected to a reoova^y unit 13 constituted of an information process- 

ing unit such as a workstation or a large computer on the center side. The connection may be in the form of a modem- 
to-telephone line or a network interface like Ethernet The connection is not maintained at all times and may be made 
only when the recovery of the utilization hfetory from the user's information processing unit 1 1 . 

Rg. 2 shows the coretruction of the information processing unit 1 1 on the user skJe. The user's infc»^mation 
25 processing unit 1 1 may be a personal computer or a workstation for general use. The only cfifference^ that the token 
12 is connected to the information processing unit 1 1 . The information processing unit 1 1 includes a control unit 14, an 
information holding unit 15, a history holding unit 16 and an information tiansnrwssion unit 1 7. Witti this arrangement, a 
recording mecfium 11a stored with a program, for example, is used to install the program. 

While communicating witii tfie token 12. the control unit 14 performs the foOowing processes including: 

30 

(1) reading the encoded inforrrration stored in the information holding unit 15. transferring the inforntation to the 
token 12 for decrypting purposes and executing or processing the information; 

(2) receiving ttie utilization history transferred from the token 12 simultaneously when the decrypted data is 
received and storing the utilization history in the hetcny holding unit 16; and 

35 (3) issuing a Verification value output" command to the token 12 on receiving an rnstixjction from the user and 
transferring the utilization history provided with a digital signature to tiie information tiBnsmission unit 17. 

The information holding unit 1 5 is stored with data, information or decrypted data to be utilized by the user. Actually, 
the information holding unit 1 5 is fomnal with an external storage device like a memory or a hard disc device. 

40 The history holding unit 16 is stored with the history transferr«l from the token 1 2 via the control unit 14. Actually, 
the history holding unit 16 is formed with an external storage device like a memory or a hard disc device. The specific 
construction of a history wilt be described later. 

On receiving the command from the control unit 1 4, the information transmission unit 1 7 reads out the history held 
in tiie history holding unit 16 together with the utilization history transferred from tiie control unit 14, and transmits tfie 

45 history to tfie recovery unit 1 3 of the center. The information transmission unit 1 7 is actually constituted of a modem and 
a telephone line or a network interface such as Ethernet. However, a device such as a f foppy disc instead of Ethernet 
is used to store the data, so that the user may manually input it to the recovery unit 1 3 of the center. 

Rg. 3 shows tiie construction of the token 12 on the user side. The token 12 is physically and generally constituted 
of MPU, a merrory and the like. The token 12 itself is contained in a container resistant to a physical attack from the 

so outside. Since the attach-resistant container is technologically well known (Japanese Patent No. 1860463. Japanese 
Patent Laid-Open No. 1 00753/1 991 . etc.), the description thereof will be omitted. To what extent the container is resist- 
ant varies with the degree of security off the data inyq^^. There is a case where tiie preparedness for such an attack 
may be weak. 

The token 12 is connected to the user's information processing unit 11, performs predetermined processing 
55 according to an instixiction from the information processing unit 1 1 and returns the result thereto. The token 12 com- 
prises a user private-key holding unit 1 8. a decryptor unit 1 9. a utilization-value creating unit 20. a utilization-value hold- 
ing unit 21. a utilization-value output unit 22. a token jDrivate-key holding unit 23. a digital signature unit 24 and so fortii. 
Each of the components of the token 12 will be described later. The token 12 has the following functions: 
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(1) Information decrypting function witfi holcfing of the utinzation history including; 

(i) receiving encrypted data from the information processing unit 11. decrypting the data witii the private key 
stor^ in the user private^^ey holding unit 18. and returning the decrypted data to the information processing 
unit 11; ^ 

00 performing the decrypting process simultaneously wHh refemng to the header of the decrypted data and the 
Identifier written thereto, and returning the identifier to the infonnation processing unit 1 1 as the utilization his- 
tory; and further 

(iii) transferring the utilization history to also utilization-value creating unit 20. and causing the utilization-value ' 
creating unit 20 to make calculations with respect to the utilization history and the verification value held in the 
utilization-value holding unit 21 at that point of time. 

(2) Verification value output function including; 

providing a digital signature for the verification value held in the utilization-value holding unit 21 at that point of 
time on receiving an output request from the information processing unH 11. returning the verification value 
with the signature thereto, and erasing the data in the utilization-value holding unit 21 . 

A description will subsequently t>e given of each components of the toten 12. 

In response to a decrypting request from the information processing unit 1 1 . the decryptor unit 19 peribrms the 
decrypting process using a private key peculiar to the user heU in the user private-key holding unit 18 and returns ttie 
result to the irrformation processing unit 1 1 as encrypted data. At this time, the decryptor unit 19 simultaneously read 
the header of the encrypted data, returns the information identifier written thereto to the information processing unit 1 1 
as the utiteation history and also to the utilization-value creating unH 20 (in tfiis example, the information identifier of the 
information utilized is used for the utilization history). 

With the arrangement Oke this, the user needs to gain access whenever utilizes inlbmiation. so that the utilization 
history is recorded without iai\. 

In this case, the encrypted data transfen-ed from the infonnation processing unit 11 may be what is formed by 
encrypting information itself or a key for decrypting the encrypted information. In the case of the latter the process of 
decrypting the information proper is performed on the side of the inforniation processing unit 1 1 

The user private-key holding unH 18 holds a private key peculiar to the user. Generally, tokens 12 are dstributed to 
usere in such a form that a key peculiar to each user is enclosed beforehand at the token issuing center. Therefore the 
users pnvate key remains unknown to the user himself. 

The utilization-value holding unit 21 holds only one verification value which is updated in sequence. Generally the 
verrficatron value IS a value having a fixed length of 16 bytes or the like. If a verifkation value has 16 bytes, only a mem- 
ory of 16 bytes is enployed. Fig. 4 shows an exanple of the formation of such a verification value 

u ^LT^"^ ^ verif ication value output request from the information processing unit 1 1 . tiie utilization-value output 
unit ^Wnctions as what reads the verificaBon value stored in the utilization-value holding unit 21 at that point of time 
and retonis the verification value to the information processing unit 1 1 . At that time, the utilization-value outout unit 22 
calls the digital agnature unit 24 and provides a digital signature for the verification value 

The distal signature unit 24 uses the private key held in the token private key holding unit 23 for holding a special 
private key for the token to perform the process of provWing a digital signature for the given value. The token private key 
holding unit 23 is a constitoentunit for hoWing the private key for thepurpose of signature used when a digHal signature 
IS made. For these constituent units, it is possible to use digital signature technology such as RSA signature, of which 
the description will be omitted because it belongs to tfie prior art 

On receiving the utilization history (the information identifier in this case) from the decryptor unit 19. the utilization- 
value creating unit 20 reads the verification value held in the utilization-value hoWing unit 21 and calculates a new ver- 
ification value from the utilization history and the verification value by making ttie foltowing cateulation. 

H = Hash (Usage + HoU) [Numerical Fonnula 1] 

"^^f " ^ : verification value. Hold = the present verification value. Usage = utilization history and Hash 0 = unidi- 
rectional function. hAD and SHA (Secure Hash Algorithm)=6eing actually employed, in this operation numerical val- 
ues may actoally be added up or exclusively ORed on condition that both have the same length or otherorise two data 
n^y simply be ananged in order: in any one of the above cases, it is essential for the two values are synthesized The 
Utilization-value creating unit 20 stores the new verification value thus calculated in the utilization-value hoWing unit 21 
(e.i.. frie new value is superscripted). 

On receiving the output request from the infonnation processing unit 1 1 . the utilization-value output unit 22 retiirns 
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the verification value held in the utilization-value holding unit 21 at that point of time and resets the utilization-value hold- 
ing unit 21 to a predetermined value or nnay simply dear the verification value thus held therein. 

The recovery unit 13 of the center will subsequently be descrtoed. Rg. 5 shows the construction of the recovery 
unit 13. As shown in Rg. 5, the recovery unit 13 comprises a history reception'uhit 25. a history holding unit 26. a history 
5 verification unit 27. a token put>lic-key holding unit 28. a signature verification unit 29 and so forth. The recovery unit 13 
causes the history reception unit 25 to receive the history sent from the information processing unit 11 of the user and 
stores the contents in the history holding unit 26. The utilization history stored is read by the history verification unit 27 
where it is verified whether or not the history is correct, and then the verified result is sent to an administrator on the 
center sida 

10 Thai the center norrrally calculates information uti&zation fees in accondance with the contents of the history, col- 
lects the fees from users and performs the process of distributing the utilization fees thus collected among information 
providers according to details of an information utilization history. Howe\/er. the description of this matter will be omitted 
because it is irrelevant to the essence of the present Invention. 

A description will subsequently be given of each of the conponents of the recovery unit 13. 

15 The history reception unit 25 receives the history information sent from the information processing unit 1 1 . Actually, 
like the history transmtsaon unit 17 of the information processing unit 1 1 (Rg. 2). the history reception unit 25 is con- 
stituted of a nxxiem and a telephone line or a network interface such as Ethernet or an information input d&nce from 
the outside such as a floppy disc. The utilization history received by the history reception unit 25 is stored in the history 
holding unit 26. 

20 In order to verify whether the verification value sent from the information processing unit 11 is correct further, there 

are provided the token putslic-key holding unit 28 and the signature verification unit 29. 

When a history is transmitted from the information processing unit 1 1 . the history reception unit 25 receives the his- 
tory. The history thus received is stored in the history holding unit 26 and transferred to the signature verification unit 
29. The signatjre verification unit 29 selects the public key of the token 12 connected to the information processing unit 
25 11 that fias sent the history from among the public keys of the ptiratity of tokens 1 2 stored in the token publk:-key hold- 
ing unit 28, and verifies the signature of the history using the pdbU'ic key The verified result is held together with the his- 
tory stored in the history holding unit 26. When the verified result is proved to be false, processing thereafter is 
discontinued since there is some possibility that the verification value has been altered dishonestly or fabricated and 
the adrrdnistrator outpaits to that effect and stops the processing. 
30 When the signature is verified, the following processing is continued: 

The history holding unit 26 holcfe the utilization history transfen^ed from the history reception unit 25 and the verified 
result The history holding unit 26 is actually formed of a storage device such as a memory. 

The history verification unit 27 verifies the history held in the history holding unit 26 as follows: 

35 (1) A series of Wstories transmitted are defined as udi . ud2. ud3...udn; 

(2) The verification value attached to the last position of the history is defined as hud; and 

(3) ProvkJed the initial value of the verification value is defined as ihud. it is exannined whether hud' resulthg from 
calculation becomes equal to the hud sent according to the following expression: 

40 

[Numerical Formula 2] 

hud' = Hash (ud^ + Hash(ud„.i • .Hash(ud2 + Hash (udl + 

45 ihud) ) . * O • ) 

hud = ?hud' 



so 

(4) If the equation is established, the verification value is judged that it has not been altered dishonestly but if not, 
it has been altered. The administrator of the recos«ery unit is then informed of the result 

A description will suljsequerrtly be given of the form of information to be processed in each unit. 
55 Fig. 6 shows a form of encrypted information as an object of encrypting in the token 12: (a) refers to a case where 
information itself is encrypted with a user's private key; and (b) to a case where the private key used for initially encrypt- 
ing the information proper is encrypted by a private key peculiar to the user before being decrypted and the private key 
peculiar to the information thus obtained is used for decrypting the information proper. In the case of (b). the information 
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proper may be decrypted by the information procesang unit, not by the token 12. Further, a public key may needless to 
say be used, though a description has been give of an example using a common cryptosystem. 

The information identifier is an identifier peculiar to the information given when the center encrypts the information 
for distribution. The information identifier is controlled by the center (e.g., witii Sfdatabase) and when the information 
identifier is specified, it is possible to spedfy a p^swi who has prepared the information, for example 

Figs. 7A and 7B show a form of utilization history: Rg. 7 A shows a form of the utifization history recorded in the 
infomration processing unit 1 1 according to this embodiment of the invention, that is. a train of information identifiers 
(tiie information decrypted by frie token) utilized; and Rg. 7B shows a form of the utilization history sent from the infor- 
mation processing unit 11 to the center, this form differs from that of Fig. 7A solely in that the verification value held by 
the token and the signature of tiie token witfi respect to tiie verif k:ation value are attached to the last position of Rg. 7 A. 

Although tiie individual utflization history is constituted of only the infomiatfon identifiers utilized according to ttits 
entoodiment of the invention, it nr^y include any cfata. for exanrple. utiOzation time, the identifier of the user, the quantity 
of utilizatfon. an utilization fee and so on. In ottier words, tiie present invention is effective when various Wnds of infor- 
mation are left as a history (various kinds of information are usually left as a history) since tiie individual history tends 
to become long. 

Refenring to Rgs. 8-12. tiiere will be given a description of processing performed In the information processing unit 
11 and the token 12. Rg. 8 refers to a processing ftow when a request for tiie utilization of infonnation is made from a 
user in the conb^oi unit 14 of the information processing unit 1 1. Rg. 9 refers to processing when an utilization history 
recovery instruction is given by the user in the confrol unit 1 4 likewise. Hg, 1 0 refers processing when tiie decryptor unit 
1 9 of tiie token 1 2 receives a request for decrypting the encrypted infonnation from tfie information processing unit 1 1 . 
Fig. 11 refers to processing in ttie utilizatran-value creating unit 20 of ttie token 12 when called by ttie decryptor unit 19 
of ttie tok&n 12. Rg. 12 refers to processing when the utilization-value output unit 22 of ttie token 12 receives a verrfi- 
cation-value output request from the information processing unit 11. 

As ^own In Fig. 8, the following processing proceeds in the control unit 14 of the information processing unit 11 
when a request for the utilization of information is made from tiie user. Rrst, a decision is made on whetfier tfie intended 
information has been encrypted (S1 1). If not encrypted yet. tiie infonnation as it stancfe is processed (SIS). If alre^ 
encrypted, a decrypting request is made to tiie token 12 so as to transfer tfie intended infonnation (S12). When an en-or 
is returned from the token 12. tiie processing is terminated after issuing an en^or message "ttie history of the token is 
fuir (SI 3. S16). If no error is returned, tiie utHization history fed from the token 12 is recorded in a recording unit such 
as a disc (SI 4). Then the intended information is processed (Si 5). 

As ^own in Rg. 9. the following processing proceeds in the control unit 14 of the information procesang unit 1 1 
when ttie utilization history recovery instruction is given by the user. Rrst, a decision is made on whettier ttie intended 
information has been encrypted (S21). If not encrypted yet, the infonnation as it stands is fxocessed (S24). If already 
encrypted, tiie decrypting request is made to ttie token 12 so as to tiansfer ttie intended information {S22). Then ttie 
utilization history returned from ttie token 12 is recorded in the recording unit such as a disc (S23). Thereafter, the 
intended information is processed (S24). 

As shown in Rg. 10, the following processing proceeds when ttie decriptor unit 19 of the token 12 receives a 
request for decrypting ttie encrypted information from ttie information processing unit 11 . Rrst a user private key Ku is 
taken out from ttie user private-key holding urtit 18 (S31). The encrypted data is decrypted witti ttie user private key Ku 
and ttie deaypted data is stored (S32). The header of tiie decrypted data is refened to so as to read an information 
identmer and with this identifier as a sittraction number, tiie utilization-value creating unit 20 is called and made to per- 
fonn verification-value creating process {S33. S34. see Rg. 11). Then ttie decrypted data and ttie identifier are sent 
back to the information processing unit 1 1 (S35). 

As shown in Rg. 1 1. tfie following processing proceeds when tiie utilization-value creating unit 20 erf tfie token 12 
receives a call from tiie decryptor unit 19 of tiie token 12. Rrst. tiie verification value is tak^ out from the utilization- 
value holding unit 21 (S41). The information identifier and the verification value are subjected to hash calculation, and 
the calculated result is stored in the utilization-value tiolding unit 21 as a new verification value (S42. S43). 

As shown in Rg. 12. ttie following processing proceeds when the utilization- value output unit 22 of ttie token 12 
receives ttie verification-value output request from the information processing unit 1 1 . Rrst. ttie verification value stored 
in tiie utilization-value holding unit 21 is read out (351). Then the contents stored in ttie utilization-value holcfing unrt 21 
are initialized (S52), Witfi ttie verification value thus read as a subtraction numl>er. ttie digital signature unit 24 is called 
so as to provide ttie verification value witti a signature {S^y The signatijre is affixed to ttie last position of ttie veriffoa- 
tion value, and the verification value with the signature is output (S54), 

The description of Embodiment 1 is terminated for the moment 

In a case where a user verifying apparatus and method as disclosed in Japanese Patent Application No. 
62076/1996 are combined with tiie present invention, modulo n can be used as an information identifier by varying ttie 
modulo n in tiie calculation of power residue each time an access ticket is issued. More specifically, in ttie user verifica- 
tion technique of Japanese Patent AppOcation No. 62076/1996. ttie access ticket (auxiliary information for verification) 
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is received from the outside, so that encrypted data, for example, is decrypted by ttie use of the access ticket and the 
user verification information. Further, the modulo q used then is used as an information identifier. In this case, the mod- 
ulo a is not taken out before being decrypted by the decriptor unit inside the token but given from the outside together 
with information as an object of encrypting. 
5 With this arrangement, the capacity of the utilization-value hokJing unit 21 that has to be prqjared within the token 

12 can be minimized and ther^y the production cost of the token 12 is also made redudbla 

(Embodiment 2) 

10 Emtxxliment 2 of the present irrvention will subsequently be described. Embodiment 2 described herein has sev- 
eral functions in adcfiton to those in Embodiment 1 . The functions and effects will be enumerated as follows: 

(1) The token 12 outputs the verification value and stops its function but recovers the function on receiving a mes- 
sage from the center. 

15 When the verification value is output outside or when a predetermined time is passed by the use of a dock 

function, the token 12 outputs the verification value arxl stc^ at that point of time to urge the user to recover the 
history (or may autonomously stops so as to demand a verification value). In order for the user to have the function 
of the token 12 recovered, the only way is to send the history and the verification value to the center for verifying 
purposes arKJ to receive a message for use in recovering the function from the center. The message issued bf the 

20 center for the purpose of recovering the function is formed by providing the verification value sent from the user with 
the digital signature added by the center. 

(2) The verif k:ation value is also output at a point of time the utilization history as its history is processed. 

Not only the information identifier but also the verification value at the point of time the history is generated is 
contained in the contents of the utilizatic^ history, wh^eby strict control off the history (order) on the information 
25 processing unit ^e can be dispensed with since the continuity of the individual history is made examinable. 

(3) An okt verification value is held on the center side. 

In the embodiments of the present invention ixp to now. the verification value within the tc^en has beoi initial- 
ized in compliance with the output request from the user. However, this function can be dispensed with by making 
the recovery unit of the center hokJ the preceding verification value of the user. 

30 

Fig. 1 3 shows the construction of the tokei 12 according to this enfeodiment of the inverTtion, wherein like reference 
characters designate like or corresponding parts of Fig. 3 and the det^led description thereof will be omitted. As shown 
in Rg. 13, the token 12 comprises the user pivate-key holding unit 18, the decryptor unit 19, the utilization-value cre- 
ating unit 20, the utiEzation-value holding unit 21 , the token i^-ivate k^ holding unit 23. the digital signature unit 24, a 

35 control unit 30. a history creating unit 31 . a calculating unit 32, a cerrter public-key hcdding unit 33, a signature verifica- 
tion unit 34 and so forth. A clock unit 35 may be provided, if necessary. 

It is arranged according to this enrtoodiment of the invention that communication with the information processing 
unit 1 1 is totally conducted via the control unit 30. which prcqseriy calls any other processing unit and performs process- 
ing in compliance with a request from the infomriation processing unit 1 1 . 

40 The control unit 30 holds the operating state of the token 12 theran. the operating stale Ijeing divided into two: a 
normal and a halt mode. In the normal mode, the token 12 pertorms the decrypting process as described in Embodi- 
ment 1 in conplianoe with a decrypting r«:iuest from the Information processing unit 1 1 . In the halt mode, on the other 
hand, the tokei 12 accepts no decrypting request twjt basically only a function restart request (verification value with 
the signature made by the center). The token 12 cancels the halt mode when the request is rightful arKl performs the 

45 process of transferring the halt mode to the rKjrmal mode (in addition, may also actuaOy perform the process of output- 
ting a verification value resulting from providing a signature fa- the verificatkjn value held in the utilization-value holding 
unit 21 at that point of time). 

Trartsf erring the normal mode to the haft mode depends on the number of times the decrypting process, for exam- 
ple, is performed. The calculating unit 32 of Fig. 13 holds the number of times the decrypting process is performed. 
so When that number of times exceeds a predetermined value (e.g.. 100 times), for exanrple, the control unit 30 returns a 
message "the time limit expired" to the information processing unit 1 1 and restores the halt mode. 

When a clock is installed, information as to the preceding halt time held vwthin the control unit 30 may be relied 
upon. In other words, on receiving a request from the information processing unit the control unit compares the preced- 
ing halt time held in the control unit with the present time and returns tiie message *^e time limit expired" to the infor- 
55 mation processing unit 11 when a predetermined period of time has passed (e.g.. one month), and restores the halt 
mode. 

Referring to Rgs. 14-16. there will be given a detailed description of processing to be perfbamed by the control unit 
30 of the token 1 2. Incidentally, the parts shown with dotted lines in Rgs. 14-16 represents not the process steps taken 
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by the control unit 30 but those taken by relevant constituent units. 

-^n rl"Z^,'rlt°!'^f the enCTypting. verification^ue output and function restart requests are input to the control unit 
30 of ttietoka^ 12from^e.nfbrmat,on processing unit 1 1. Rrst. a decision is made on whether Ihemode of the control 

IT* ^ example, too {S62, S63). If the count do4 not exceed 100 the f^ 

value a s.grature .s outpuL In other words, a value in the utilization-value ho^^^^ 

signature unrt 24.S caused to create the verification value with the signature, which.2 output (S64. S,e 

,11^ ^ • calculating unit 32 is cleared and the halt mode is restored (S67 S68) 

^c^tng request the verrf,caton-va!ue output request or the function restart request (S69. S70. S71) wme^Se 

11 and the processing ,s terminated (S72). When the request is the verification-value, the verification ,«lue^tf^ S 
zat.on-value hoWir^ unit 21 is read out and the digital signature unit 24 is caused to create the^S^n ^ 
the signature. wh«* ^output (S73. S74). Then the verif icatton value with the signature is returned to the"nfa^ 
proc^,^ unrt 1 1 . and the processing Is terminated (S75). When the request isL functfon restS requit 
tion restart process at a node A is Ibltowed. When the request received is not the encrypting request^ v;SaS^;- 

rfication^uethusdeliverediscompared with the verification vatueinS^^ 

m !fnJ lT H^!^ ^ ^ ""^^^ "^""^ '^"^ *° »^ process- 

ing unit 11 (S81. S82). If the signature is incorrect at Step S78. a message Incon-ect signature" is returned to the 
irrf^n^on pra^g unrt 1 1. and the processing is terminated (S83). When the verifica2,n value « SS2fst2rt a' 

^S^n,lT^J"S^^^ ^ ^^""^^^ *° 

Fig. 16 refers to a case where the count does not exceed a threshoW value, for example. 100 In Fig 16 whether 
°' 'T^ ^"^"3 '^"^ '"^^ <S85). When it is the encrypting ^qi^est flie dSvef J 

sent to the decryptor umt 19 (S88). The decryptor unit 19 carries out the encrypti^oirSnlsS sl^r^S^J 
equest b not the encryptng request, a decision is made on whether it is the SSiiSvvalue equest^)^rS 

o^orrJ'S?" t'"^ '^T"- '^'^^ to a node C Of Fig. 1 4 where the verificafion-vTue ouS^proci iL 

performed. When the request is not the verification-value output request at Step S86. an eiror is retumSio^S^ 
mation processing unit 11. and the processing is terminated (S87) e or is reiumea ro me inter 

The description of the processing in the control unit 30 of the token 12 is terminated for the moment 
Although It has been arranged to restore the halt mode even when the verification value request is made from the 
n^r^rRoT^wn"^ " accordingto this embodiment of the invention (transtorring fromaeTse o^ S^Se 

hid atZ^*^ f!^"^ ■»!!^r"':f^'°" ^"^ *^ "^^^ ^"^ ^ ^"^'^ P^°^«* for the verifSion valu^ 

Sfi^if^reSr^^n^i^r 

EmbSLrr;r;^v:^oT •^^^^-'^^ - ^^-^ - 

tion 311^^17 !^^l"""r ^ shown in Hg. 16. theprocess of generating three sets of the infbmia- 

Hu = Ha0(ud) [Numerical Formula 3] 

and^oring the calculated result in the utilization-value holding unit 21 . which holds flie verification value at ttiat point 

As in Embodiment 1 of the present invention, tiie digital signature unit 24 uses ttie private key held in ttie token ori- 
e key holding unit 23 holding ti,e special private key for the token to provide ti,e dig&lTgnSre "^.S^ Z 
value given. According to this embodiment of the invention, further, tiie signatore vernation unit 34 is prSd^ S,^ 
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to verify whether the signature deliverej by the use of the public key of the center held in the center public-key holding 
unit 33 is the signature of the center. Digital signature technology such as RSA signature is basically usable lor these 
constituent units; however, the detailed description thereof will be omitted as it ^ well krvswn technology. 

Fig. 1 7 shows the construction of the information processing unit 1 1 accoiding to this embodiment of the invention. 

5 wherein like reference characters designate like or corresponding parts of Rg. 2. 'As shown in Rg. 1 7. though the con- 
struction is substantially similar to what is shown in Enrd^odimertt 1 of the present invention, the token enters the halt 
mode at a certain point of time in the information processing unit 1 1 according to this embodimerit of the invention and 
in order to wake the function restart a history has to be transnr^tted to the center to cause the center to serKj the restart 
message accordingly. Therefore, a verification value recepticvi unit 36 for receiving a veriftcation value with a signature 

10 from the center is slightly varied. Further, the history held in the history holding unit 1 6 is also differerrt in construction. 
Rg. 18 shows the construction of the recovery unit 13 of the center according to this emtxxjiment of the invention, 
wherein like reference characters designate like or corresponding parts of Rg. 5. In comparison with the constitution of 
Emlxxiiment 1 of the present invention, since the verification value with the signature has to be sent to the information 
processing unit 1 1 when the correctness of a history Is verified, there are additionally in^led constituent units for the 

75 purpose; namely, a center private-key holding unit 37. a digital signature unit 38 and a verification-value-with-signature 
transmitting unit 39. As the utilization history sent from the information proces^ng unit 11 is different in construction, the 
history processed in the recovery cent^ naturally cfiffers. 

Figs. 19A to 19E show the construction of the utilization history held in each of the constituent units. 

Fig. 19A refers to the utilization history recorded in the history holding unit 16 of the information processing unit 1 1 . 

20 The contents of the ir^dividual history include two: a pair of information dentifier shown in Rg. 1 9C and verification value 
heki in the token at that point of time. 

When the history is sent from the information processing unit 1 1 to the center, the verification value with the signa- 
ture of the token is affixed to the last position of the line of the history shown in Rg. 19B. The verification value with the 
signature is output when the token 12 ceases to function and the token 12 provides the verification value with the sig- 

25 nature at that point of time shown in Fig. 190. 

The center enploys the verification value with the signature for verifying the history shown in Rg. 19D. \A/hen the 
correctness is proved as a r^ult of verification, the center provides the veriftcation value attached to the last position 
as a message for restarting the function of the token 1 2 with a agnature and the value thus obtained is sent to the infor- 
mation processing unit 1 1 . This is shown in Rg. 19E. 

30 The processing performed by the recovery unit 13 will subsequentiy be descrOsed. When a history is transrratted 
from the information processing unit 1 1 . it is received tTy the history reception unit 25. The history received is stored in 
the Nstory holding unit 26 and also delivered to the signature verification unit 29. The signature verification unit 29 
selects the public key of the token 12 connected to the information processing unit 1 1 which has transmitted tiie history 
from among the plurality of token public keys stored in the token public-key holding unit 28, artd verifies the signature of 

35 the history using the public key. The verified result is held together with the history stored in the history holding unit 26. 
When the reception of the history is conpleted. the history verification unit 27 starts operating. The history verifi- 
cation unit 27 refers to not only the history received now but also the result of verifying the signature affixed thereto. If 
the result of verifying the agnature is incorrect, processing thereafter is not performed. If the result of verifying the sig- 
nature is correct, it is further verified whether the contents of the signature are correct. 

40 The process of verifying the contents of the signature is performed as follows: 

(1) It is assumed that the line of the history sent is as follows: 

(idi. huo), (id2, tiui), (ids. hu2),.... (idn, hun-i), sign (hun) where id = information klerrtifier. hu = verification value at 
a point of time the history is created, and sign Q = sign of the token. 
45 (2) The verification value sent by the token previously is found out of the history hdding unit and defined as Hould. 

(3) The verification value huo is taken out of the initial history (IDi. huo) of the utilization history that has been sent 
to make it certain whether the verification value is equal to Hould. 

(4) Subsequently. (IDi. huo) is calculated to make it certain whether the (IDi. huo) conforms to hui. 

(5) This step is repeatedly taken up to the final verification value hu,, likewise. 

so (6) On cofKirtion that the utilization history has passed every inspection., it is regarded as being correct. 

Only when the history is judged correct through ^e verification process, the final verification value hUn is sent to 
the signature verification unit, so that a digital signature is provided by means of the public key of the center. Then the 
verification value with the signature of the center is sent badk to the information processing unit from which the history 
55 has been transferred. 

With the arrangement above, since the function of the token is stopped at a certain point of time, the user of the 
information processing unit has to send a conrect history to the center in order to restart the function of the token. There- 
fore, the user can be urged to recover the history. 
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Since the final verification value is recorded on the center side, verification is proved 1o be simply unsuccessful 
even .n a case where the correct history sent from the token is partially destroyed for some rea^o^^^ ^J^ 

' ..eSs;:ssretr:^^:^rvi^^^^ 
. rth?h's.T~"'"'^°'*^^'^^'^'^^^^"'°^^^ 

. *.f f^^nr sent to the center is constructed as shown in Rg. 20. for example At this time it 

IS assumed that a history 25 has been lost by accident on the information processing unit side 

of = H-^*^ *® verification value shown above at only the last position. the verification 

,5 h^n ^^fh ^r^^'^'"'^"^- '^°'-^^'"g «»fe<^t»«t the contents Of from tSes12r 

15 been lost, their correctness remains unverifiable. " «> ■ iiave noi 

by .ns^ng verrf^catran values wrth signatures halfway throughout More specifically, histories from 1 to 10 ie 
verrfiable by a venficaton value 1 with a signature; histories from 11 to 23 ^a verifiition value 2^ aJ^r^^ 

tion;sr™rs^rats^^e™ 

In order to materiafize the arrangement above, a decision unit for deciding whether the toad is low is provided in the 

.s srre^sSTtor'^"^^'"^''*^'^^"^"^ 

Moreova-. it may be ananged that the verification value with the signature is output by the infomiation oioceasino 
unrt fliat IS. in compliance with a request from the user unless the token does theoperLS ^^^^SZ 

i^oTti ! Sl"^"^ ^ r'"^*^" ^'"^ ^ ^'3"^*^^ "P^"9 "'^ ^^rification value and returSttVe JSS 
cation value to the mfbrmalion processing unit 11. ■ m lu u le verm 

Further, time information as the utilization history is made retrievable by letting the token have the dock function 

11 r •"*>^'"aton IS used. The ctock unit has an ordinary clock functfon and shouW only funS^ 

t'ST. . "^."^^ T- ^^^^ made by holding the date including yeaS^ d^ 
Tri^nSl *° -nclude the time in the history, it is only needed to couple the time infection to^etrSmtiS 

^rc^^^ "'^^^ "^^^ *^ verification value held thereby at that point of time 

embodiment of the invention, a count instead of the verification value may be output whenTe 

2S S oil^ ""^ "^"^^ ^ ^ Ihe^nlTeld at 

^^!^f^'^- *° P^ent invention, data is not stored in the protective apparatus to reduce the 

S to"btlr^ r ^^'^^^ theprotective apparatus, and a verification viue havingTS^^J^^fdS 
. IT Co"s«1uentiy. the storage capacity and the necessary processing ca^biBties of ^pTrted^ 

iSSSe Snlfr^ "^"^'"^ order-restoring information to S data to make K ^rdrorj^t; 

restorable Since the relevant processing is made continuously performable when the protective apparatus receives a 
value resultng from providing thesignatureofaright person for the data heU by the protective iS^^ 

the data th^efrom. Therefore, verrfication data is sent to the right person at all times to ensure that the verification data 
hv^n ^^^^^^-P^rt^^fedatafedestroyedorlftelike. most of tiie remaining data cSTteJeSSceSS 
by outputting the verificabon value with ttie signature frecpjentiy. venriea ror certain 

tioo 11!^?'^°'?^ d^iption of a preferred embodiment of tfie invention has been presented for purposes of illustra- 
^on and descnption it is not intended to be exhaustive or to limit the invention to the precise form disSS Sid^- 
?S er!^ variations are pos^l^e in light of the above teachings or may be acquir^ from piacticToT^fe i^i^ 
The embod-ment was chosen and described in order to explain the principles of the invention and rts practical ap^S- 
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tion to enable one sKilled in the art to utilize the invention in various embodiments and with various modifications as are 
suited to the particular use contenptated. It is intended that the scope of the invention be defined by the daims 
appended hereto, and their equivalents. 

5 Claims 

1 . A data verifying method, comprising the steps of: 

creating a verification value of a data body inside a protective apparatus from a verification value of tiie relevant 
10 data body out of a plurality of data bodies generated in sequence and a verification value of a data body pre- 

cecfing the relevant data body; 

creating a verification value with a signature by adding a digital signature inside the protective apparatus to the 
verification value created for the last data body out of the plurality of data bodies tube v^tfied at a time; 
sending the verification value with the signature outside from the protective apparatus; and 
IS verifying the plurality of data bodies t>ased on the plurality of data bodies and the verification value with the 3g- 

nature. 

2. An apparatus for creating data to be verified, said apparatus comprising: 

20 means for gen^ating data txxiies in sequence; 

verification value storage means for storing verification values; 

verification value creation means for creating a new verification value from the verification value stored in the 
verification value storage means and a newly generated data lx)dy and updating the verification value stored 
in the verification value storage means to the new verification value; and 
25 signature means for attaching a signature to the verification value stored in the verification value storage 

means at predetermined timing; 

wherein saki verification value creation means, said verification value storage means and said signature 
means are installed in a protective apparatus. 

30 3. A data verifying apparatus, conprtsing: 

a plurality of data kxxlies generated in sequence; 

means for receving a verification value with a signature resulting from providing a signature for the verification 
value calculated from tiie plurality of data bodies; 
35 signature verifying means for verifying the signature on the verification value received; and 

verifying means for verifying the correctness of the plurality of data lx>dies received from the verification value 
with the ^gnature verified by the signature verifying means. 

4. A history holding method for holding in a protective apparati^ only a verification value resulting from sequential cal- 
40 culations with respect to a group of history data comprising: 

a plurality of continuous history data, and providing a signature tor only the verification value when the verifi- 
cation value is output from the protective apparatus outside. 

45 5- A history holding apparatus comprising: 

data input means for inp>utting a plurality of continuous data; 
data processing means for processing the data; 

verification value creation means for creating a verification value with history data relevant to the data process- 
ing and the verification value held at this point of time as inputs; 
verification value holding means for holding the verification value thus created; and 
signature means for providing a signature foi;^e verification value; 

wherein said verification value creation means, said verification value holding means and said signature 
means are at least installed in a protective aiiparatus. 

A history holding apparatus as claimed in claim 5, wherein unidirectional functions are used for calculations appli- 
cable to said verification value creation means. 
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7. A history holding apparatus as claimed in claim 5. wherein the history data is in the form of a combination of the 
history data txxiy and the verif ication value at the time the history data is processed. 

8. A Nstory holding apparatus as claimed in daim 5. further comprising counter means for counting each time data s 
processed, wherein the history data in the history data group is in the fonn of a combination of the count when the 
data is processed and a Nstory body 

9. A history holdng apparatus as claimed in claim 5. wherein the verification value with the signature is output in com- 
pliance with a user's request 

10. A history holding apparati^ as claimed in daim 5, wherein the history holding means conprising a sinqle CPU with 
software; arKi 

wherein when the load of the CPU applied by the data processing means is low, the signature means cre- 
ates and outputs the venfication value with the proper signature. 

11. A history holcfing apparatus as claimed in claim 5. further comprising function halt means for slopping the function 
of the data processing means at a point of time the verification value is output until a proper instruction is given from 
the outskie. ^ 

12. A history holding apparatus as claimed in claim 11, further conrprising haft condition holding means for stopping 
the function, wherein when tfie conditions described in the halt condition holding means are met. the function halt 
means outputs the verification value vwth the signature written thereto and stops its function. 

1 3. A history holding apparatus as claimed in claim 1 1 . further comprising proper public-key holding means for holding 
a public key of an external right person, wherein the function halt means verifies that an accepting instruction is 
intended to restore the function corresponding to the lastiy-output verification value provided with a digital signature 
made by tiie external right person and tfiat by verifying the signature with the public key held by the proper public- 
key holding means at the time of receiving the instruction, whether or not the verification value witii the signature is 
equal to the verification value held by the verification value holding means. 

14. A history verifying afparatus comprising: 

data input means for inputting a verification value with a signature, tiie signature being provided for the verifi- 
cation vahje calculated ft-om a plurality of continuous history data in grotp and from the data groips- 
^nature verifying means for verifying the signature of tiie verification value tiius received witti the signature; 

verifying means for verifying tiie correctness of the data group received from the data group received and the 
verification value whose signature has been verified. 

15. A history verifying apparatus as claimed in daim 14, furttier comprising previous verification value storage means 
for storing the verification value received the last time; 

wherein the verifying means ennploys the previous verification value when making verification. 

16. A history verifying apparatus as daimed in daim 14. wherein tiie calculations for use in said verifying means are 
based on unidirectional functions. 

17. A history verifying apparatus as daimed in daim 14. v»rherein tiie history data is in tiie form of a combination of tiie 
history data body and the verification value at the time tiie history data is processed. 

1 8. A history verifying apparatus as claimed in daim 1 4, wherein tiie history data in ttie history data group is in tiie form 
of a combination of the value of tiie counter when the data is processed and a history body 

19. A history holcfing apparatus conrprising: "'^ 

data storage means for holding data; 

halt conditfon holding means for hdding predetermined conditions at tiie time tiie function is stopped* 
function halt means for stopping tiie fonction when tiie conditions held in the halt condition hdding mUns are 
met and keeping tiie function stopped until a proper instruction is received from tiie outside; 
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private-key holding means for holding a private key; 

digital signature means for providing a digtai signature using the private key held In the private-key holding 

means for the data group held In data holding means; 

digital signature holding means for holding the digital signature affixed; and 

proper pul^ic-key holding means for holding the public key of an external right person, wherein the function halt 
means verifies that an accepting instruction is intended to restore the function corresponding to the digital sig- 
nature provided by the external right person for the cfgital signature held in the digital signature holding means 
and that by verifying the signature with the pi±>lic key held by the proper pubOc-key holding means at the time 
of receiving the instruction, whether or not the value with the signature Is equal to the value held by the digital 
signature holding means. 

20. An electronic equipment comprising: 

function halt means for stopping at least part of the function of an electronic equipment body when predeter- 
mined conditions are met; 
means for oulputting predetermined data cxjtskJe; 

means for receiving data with a signature, the data being created by providirtg the signature for the predeter- 
mined data; 

signature verifying means for verifying the agnature with respect to the data with the signature; and 

means for releasing the halt state of that part of the function when the correctness of the signature of the data 

with the signature is verified by the signature verifying means. 

21 . A conrputer program product for effecting interaction between a data creation ^Dparatus and a data recovery appa- 
fBius for recovering data bodies that are output from the data creation apparatus, which conprises means for gen- 
erating the data txxiies in sequence, verification value holding mear^ for hofdirtg verification values, verification 
value creation means for creating a new verification value from the verifk:ation value heid in the verification value 
holding means and a newly generated data body and updating the verification value held in the verification value 
holding means to the new verification value, and signature means for attaching a signature to the verification value 
held in the verification value holding means at predetermined tinrung. characterized by causing a computer to take 
the steps of: 

storing the data txxiy that is output from the data creation ^Dparatus and the verification value provided with 
the signature, and 

sending tiie data body and the verification value with tiie signature thus stored tiierein to the data recovery 
apparatus at predetermined timing. 
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FIG.4 
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FIG.8 
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FIG.9 
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FIG.14 
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